Security for Changing Software and Systems Jan Jürjens TU Dortmund & Fraunhofer ISST http://jan.jurjens.de
The Forgotten End of the System Life-cycle Challenges: • Software lifetime often longer than intended (cf. Year-2000-Bug). • Systems evolve during their lifetime. • In practice evolution is difficult to handle. Problem: Critical requirements (e.g. security) preserved ? Jan Jürjens: Security for Changing Software and Systems 2/19
Model-based Security Engineering with UMLsec Security Requirements Evolution Inte- Analyse grate Generate UMLsec Models Configuration Data Verify Code-/ Reverse Configure Testgen. Engin. Runtime System Code Execute Jan Jürjens: Security for Changing Software and Systems 3/19
Challenge: Evolution Each artifact may evolve. To reduce costs, reuse verification results as far as possible. Under which conditions does evolution preserve security? Even better: examine possible future evolution for effects on security. • Check beforehand whether potential evolution will preserve security. • Choose an architecture during the design phase which will support future evolution best wrt. security. Jan Jürjens: Security for Changing Software and Systems 4/19
Model Formalization Formalize model execution. For transition t=(source,msg,cond[msg],action[msg],target) and message m , execution formalized as: Exec(t,m) = [state current =source m=msg cond[m]=true action[m] state current.t(m) =target ]. (where state current current state; state current.t(m) state after executing t ). Example: Transition t 0 : t 0 Exec(t 0 ,m)= [ state current =NoExtraService [money+x>=1000] m=wm(x) money current +x>=1000 money current.t0(m) =money current +x [money+x<1000] state current.t0(m) =ExtraService ]. Jan Jürjens: Security for Changing Software and Systems 5/19
Formalization of Requirements Example „ secure information flow “: No information flow from confidential to public data. Analysis: If states state current , state‘ current differ only in confidential attributes, then publically observable behaviour should be same: state current ≈ pub state‘ current state current.t(m) ≈ pub state‘ current.t(m) ( state current ≈ pub state‘ current : same publically observable behaviour; state current.t(m) : next state after executing t(m) ). Example : Insecure: confidential attribute money influences return value of public method rx() . ExtraService ≈ pub NoExtraService aber nicht: ExtraService.rx() ≈ pub NoExtraService.rx() [money+x>=1000] [money+x>=1000] [money+x<1000] [money+x<1000] Jan Jürjens: Security for Changing Software and Systems 6/19
Evolution vs. Design- / Architectural Principles Consider design- / architectural principles supporting evolution. Under which conditions are requirements preserved ? Design technique : Refinement of specifications. Supports evolution between refinements of an abstract specification. Architectural principle : Modularization supports evolution by restricting impact of change to modules. Different dimensions: • Architectural layers • Component -oriented architectures • Service -oriented architectures • Aspect -oriented architectures For each discovered conditions under which requirements are preserved. Explain this at the hand of security requirements. Ochoa, Jürjens, Warzecha : A Sound Decision Procedure for the Compositionality of Secrecy. ESSoS’12 Ruhroth, Jürjens. Supporting Security Assurance in the Context of Evolution: Modular Modeling and Analysis with UMLsec . HASE’12 Schmidt, Jürjens: Connecting Security Requirements Analysis and Secure Design Using Patterns and UMLsec . CAiSE’11 Hatebur, Heisel, Jürjens, Schmidt: Systematic Development of UMLsec Design Models Based on Security Requirements. FASE’11 Jan Jürjens: Security for Changing Software and Systems 7/19
Refinement: Problem For behaviour preserving refinement, one would expect preservation of behavioural requirements. „ Refinement Paradox “: Surprisingly, in general not true [Roscoe‘ 96]. Example: In above example, transition rx()/return(true) [money+x>=1000] (resp. false ) is refinement of „ secure “ transition [money+x<1000] rx()/return(random_bool) . Problem: Mixing non-determinism as under-specification resp. as security mechanism. Jan Jürjens: Security for Changing Software and Systems 8/19
Refinement: Solution Our specification approach separates non-determinism as under-specification resp. as security mechanism. Result : Refinement now preserves behavioural requirements. Proof: using formal semantics. Above example: with our approach: not a refinement. Jan Jürjens: Security for Changing Software and Systems 9/19
Modularization: Problem Problem : Behavioural requirements in general not compositional. Above example: States ExtraService and NoExtraService each „ secure “ ( only one return value for rx ), but composition in statechart not. [money+x>=1000] [money+x<1000] Under which condition are requirements preserved ? Jan Jürjens: Security for Changing Software and Systems 10/19
Modularization: (A) Solution Solution : Formalize requirement as „rely - guarantee“ -property. Result : Using this formalization, get conditions for compositionality. Proof: using formal semantics. Above example: Rely-guarantee formalization shows that [money+x>=1000] secure composition impossible. [money+x<1000] Jan Jürjens: Security for Changing Software and Systems 11/19
Evolution-based Verification Evolution-based Verification – Idea: • Initial verification: Tool registers which model elements relevant for verification of given requirement. • ... Store in verified model, together with partial results („ proof-carrying models “). • Discovered conditions on changes such that requirement preserved. • Compute difference between old and new model (e.g. using SiDiff [Kelter] ). • Only need to re-verify model parts which 1) were relevant in the initial verification, 2) have changed, and 3) which don‘t satisfy the above-mentioned conditions. Significant verification speed-up compared to simple re-verification. Wenzel, Warzecha, Jürjens, Ochoa: UMLchange – Specifying Model Changes to Support Security Verification of Potential Evolution. Journal of Computer Standards & Interfaces, 2013. Jan Jürjens: Security for Changing Software and Systems 12/19
Evolution-based Verification: Example Preservation condition for secure information flow at evolution M → M‘: Only consider states s , s‘ for which: • s ≈ pub s‘ in M‘ but not in M, or • s.t(m) ≈ pub s‘.t (m) in M but not in M‘. M → M’ [money+x>=1000] [money+x>=1000] [money+x<1000] [money+x<1000] Example: wm(0).rx() ≈ pub wm(1000).rx() in M but not in M ‘. Shows that M‘ violates secure information flow (confidential data 0 and 1000 distinguishable). Jan Jürjens: Security for Changing Software and Systems 13/19
Model-code Traceability under Evolution Goal: Preserve model-code traceability during evolution. Idea : Reduce evolution to: • Adding / deleting model elements. • Supporting refactoring operations. => Approach for automated model-code traceability based on refactoring scripts in Eclipse. [Bauer, Jürjens, Yu: Run- Time Security Traceability for Evolving Systems. Computer Journal ‘11] Jan Jürjens: Security for Changing Software and Systems 14/19
Code Verification subject to Evolution Use evolution-based model verification and model- p code traceability for evolution-aware code g verification using static analysis. Example: Condition in sequence diagram correctly checked in implementation. All paths from p Project Csec (with Microsoft Research Cambridge): to q check g. Implemented static analysis, found several weaknesses. q p Aizatulin, Gordon, Jürjens: Computational Verification of C Protocol Implementations by Symbolic Execution. CCS’12 Aizatulin, Gordon, Jürjens: Extracting and verifying cryptographic models from C protocol code by symbolic execution. CCS’11 q g Jan Jürjens: Security for Changing Software and Systems 15/19 15
Run-time Verification subject to Evolution Relevant versions of source code not always available => run-time monitoring. Relevant approach in the literature: Security Automata [F.B. Schneider 2000] . Problem: no evolution and only „ safety “ -properties supported (too restrictive e.g. for secure information flow). So: New approach, based on runtime verification (based on techniques from model-checking and testing). Formalize requirement to be monitored in LTL. Runtime verification in a nutshell Property Continuous monitoring of system events through automatic generation of monitors generated from the models, with evolution-based traceability. Monitor System Property Including non-safety-properties (using 3-valued fulfilled? LTL-semantics). Actions t Example results : Bauer, Jürjens. Runtime Verification of Crypto-graphic Protocols. Computers & Security ’10 Pironti, Jürjens. Formally-Based Black-Box Monitoring of Security Protocols. ESSOS’10 Jan Jürjens: Security for Changing Software and Systems 16/19
Recommend
More recommend
